Usage
A docker compose file is provided to make it simple to run both the agent and the Go test app.
# Source the testing environment
$ source env.sh
# Start the app and agent containers using docker-compose
$ docker-compose up --pull --build --attach appYou can also pass custom tags with DD_TAGS and a custom service name with DD_SERVICE.
Attacking the app
You should be able to attack the app on port 7777 of your machine =)
For example:
-
LFI attempt:
curl -v --path-as-is 'http://127.0.0.1:7777/../../../etc/passwd' -
SQLi attempt:
curl -v 'http://127.0.0.1:7777/sql?k=select%20*%20from%20users%20where%201%3D1%20union%20select%20*%20from%20cb' -
SQLi vulnerability:
curl -v 'http://localhost:7777/products?category=%27%20union%20select%20*%20from%20user%20%27' -
Attack attempt through the HTTP body:
curl -v -XPUT -d 'your json body payload' 'http://localhost:7777/api/catalog/'
Note: you can forge the ip you want by adding -H "X-Forwarded-For: <any_ip>" to your curl command
User blocking
-
Register a user on 'http://127.0.0.1:7777/registration.html'
-
Login on 'http://127.0.0.1:7777/login.html'
-
Go to 'http://127.0.0.1:7777/auth'. If the user is blocked, the blocking page should be displayed